2006 Industry News Coverage (Archive)

Below is a comprehensive monthly review of the news and other media's coverage
of CVE. A brief summary of each news item is listed with its title, author
(if identified), date, and media source.

December 2006

SC Magazine, December 27, 2006

CVE was mentioned in a December 27, 2006 article entitled "Hot or Not: Web Application Vulnerabilities" in SC Magazine. The article is about a report on trends in the types of CVEs: "There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications."

November 2006

Software Development Times, November 15, 2006

CVE was mentioned in a November 15, 2006 article entitled "The Rise of Cross-Site Scripting" on the Software Development Times Web site. The article is about a report on trends in the types of CVEs: "[CVE List] data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)" The article was written by Brian Chess.

SearchSecurity.com, November 9, 2006

CVE was mentioned in a November 9, 2006 article entitled "Software security flaws begin and end with Web application security" on SearchSecurity.com. The article is about a report on trends in the types of CVEs: "According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal — data, and lots of it — but also can be used to spread malware to anyone else who visits the compromised site." The article was written by Michael Cobb.

October 2006

Dark Reading, October 10, 2006

CVE was mentioned in an October 10, 2006 article entitled "Hot New OS Flaw: Integer Overflow" on Dark Reading. The article is about a report on trends in the types of CVEs: "Buffer overflow maintains its top ranking as the most exploited security flaw in operating systems, but integer overflows are now at number two, according to MITRE's ... Common Vulnerability and Exposures (CVE)." Other types of CVEs are also discussed. The article was written by Kelly Jackson Higgins.

September 2006

SC Magazine, September 22, 2006

CVE was mentioned in an article entitled "XSS flaws jump to top of CVE rankings, but is the threat overblown?" in the September 22, 2006 issue of SC Magazine. The article is a report about a study by Jeremiah Grossman, CTO of WhiteHat Security, who used the CVE List to determine that "XSS flaws are now the No. 1 flaw on MITRE's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago." The article also includes a quote by Grossman, who states: "This is important to realize because XSS is now ranked ... as the most prevalent vulnerability, even more prevalent than buffer overflows." The article was written by Frank Washkuch Jr.

August 2006

SC Magazine, August 22, 2006

CVE was mentioned briefly in an article entitled "ArcSight simplifies SIM with new standard" in the August 22, 2006 issue of SC Magazine. The main focus of the article is a report that "ArcSight announced the release of its Common Event Format (CEF), a standard which they believe will help the security information management (SIM) niche better serve the enterprise market."

CVE is mentioned when the author states that Charles Kolodgy, research director for IDC, "likened the development to the vulnerability management world's CVE standard, which is used across numerous security vendors in order to simplify things for customers."

USA TODAY, August 3, 2006

CVE was mentioned in an article entitled "Cybercrooks constantly find new ways into PCs" in the August 3, 2006 issue of USA TODAY. The article was a report from Black Hat Briefings 2006 on August 2nd - 3rd, at which CVE hosted an exhibitor/meeting booth. CVE is mentioned in the article as follows: "[The CVE List] provides common names for publicly known security holes and is a rough indicator of which applications are attracting hackers' attention." The article also includes a quote by Secure Elements, Inc. security director Scott Carpenter, who states: "The CVE identifier is the most oranges-to-oranges comparison you can make." The article was written by Byron Acohido.

July 2006

Healthcare Informatics Online, July 2006

CVE was the main topic of an article entitled "The 411 on CVE" in the July 2006 issue of Healthcare Informatics Online. In the article the author describes some of the business impacts of CVE when he states: "Cost-effectiveness research done by both end users and vendors has shown CVE-based technology is worth the money." The author discusses comments about CVE by Larry Pesce, manager of information systems security for Care New England, Providence, R.I., who "cannot imagine doing his job without tools that support the industry-standard vulnerability dictionary known as CVE..." Pesce says that "the CVE-compatible automated penetration testing tool he uses (Core Impact from Core Security, Boston) has saved Care New England — which includes three hospitals, community wellness centers in Providence and Warwick, R.I., and a visiting nurses' association — the cost of hiring one to two full-time network administrators." The author further states: "Pesce's cost-savings analysis is backed by another industry veteran. Billy Austin, chief security officer of Saint Corporation, Bethesda, Md., which recently introduced a CVE-compatible integrated vulnerability scanning and penetration testing tool, [who] says his company's research shows users who take advantage of the CVE reference infrastructure save an average of 2.5 hours of staff time over doing Internet searches for any given vulnerability's attack vectors, likely impact of an exploit, and remediation steps." The article was written by Greg Goth.

June 2006

IEEE Distributed Systems Online, June 2006

CVE was the main topic of an article entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The article describes what CVE is and the problems it solves, discusses the history of CVE, mentions CVE compatibility, includes a link to the CVE Web site, and notes that the U.S. National Institute of Standards and Technology's National Vulnerability Database (NVD) is built wholly upon CVE identifiers. The article includes a quote from NVD project leader and CVE Editorial Board member Peter Mell, who states: "With 300-plus products and services using [CVE identifiers], we definitely need a database of information relative to the CVE standard, and the NVD database provides that. End users need a way to prioritize the constant stream of vulnerabilities that are coming out ... [and by] ... integrating the NVD and CVE, we've made a significant step toward helping people to do that." The author notes some of the business impacts of CVE via its CVE Compatibility Program when he states: "CVE-compatible products have shown themselves to be cost-effective. Larry Pesce, manager of information systems security for Care New England, a Rhode Island-based healthcare network, says the use of a CVE-compatible penetration testing tool by vendor Core Security probably saves the organization the cost of one to two full-time employees a year. Billy Austin, chief security officer of Saint, a CVE-compatible vendor, says using such tools saves the typical security administrator 2.5 hours per vulnerability over doing manual searches."

The article also mentions MITRE's follow-on standards efforts, including Open Vulnerability and Assessment Language (OVAL), which uses CVE identifiers as the basis for its standardized XML definitions that check for the presence of vulnerabilities on systems; Common Malware Enumeration (CME), which provides single, common identifiers for virus threats to reduce public confusion during malware outbreaks and to facilitate the adoption of a shared, neutral indexing capability for malware; and Common Weakness Enumeration (CWE), which is a community-developed formal list of common software weaknesses intended to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and a baseline standard for vulnerability identification, mitigation, and prevention efforts. The CWE dictionary, which is based in part on the numerous identifiers on the CVE List, is currently hosted on the CVE Web site. The article concludes with a quote by MITRE's CWE Project Manager, Robert A. Martin, who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."

Communications of the ACM, June 2006

CVE was mentioned in a June 2006 article in Communications of the ACM, Vol. 49 No. 6, entitled "Software Security Is Software Reliability." The main topic of the article is how vulnerabilities are often described in hacker terms rather than in the "software fault classes known by academic researchers." CVE is mentioned in a section entitled "Bug Class Evolution" when the author explains how he used "the Common Vulnerabilities and Exposures [List that] (cve.mitre.org) contains [17,208] entries of publicly known security issues" and mapped it in order to review the evolution of the bug classes. CVE is also mentioned in the caption for a chart showing "Common Vulnerabilities and Exposures reclassified using terms from software reliability research" from 1999 through 2005. The article was written by Felix Lindner.
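The trend figures cited in the SC Magazine, SD Times, Dark Reading and Communications of the ACM items above all rest on the same procedure: sort CVE entries into weakness classes and count them per year. As an added illustration (not code from any of those articles, from MITRE or from the CVE project), the Python below does that over a handful of constructed CVE-style records: it takes the year from the CVE identifier, classifies each description with keyword patterns, and ranks the classes for each year. The records, the class list, the patterns and the function names are all assumptions made for the example; a real tally would read the CVE List itself, and, as Steve Christey's comments later on this page note, the result depends heavily on editorial and classification policy.

```python
"""Tally CVE entries by weakness class and by year.

Added illustration: a minimal version of the kind of count behind the
"XSS has overtaken buffer overflows" reports.  Everything here, including
the CVE-style records, is constructed for the example; none of it is taken
from the CVE List or from the articles.
"""
import re
from collections import Counter, defaultdict

# Ordered (class, pattern) pairs.  Order matters: the first match wins, so an
# "integer overflow ... leads to a heap-based buffer overflow" is counted once,
# as an integer overflow, rather than in both classes.  The class set and the
# keywords are assumptions for the example, not CVE or CWE policy.
CLASS_PATTERNS = [
    ("xss", re.compile(r"cross[- ]site scripting|\bXSS\b", re.I)),
    ("sqli", re.compile(r"SQL injection", re.I)),
    ("integer_overflow", re.compile(r"integer (overflow|underflow|signedness)", re.I)),
    ("buffer_overflow", re.compile(r"(stack|heap)?[- ]?(based )?buffer overflow|off-by-one", re.I)),
    ("dir_traversal", re.compile(r"directory traversal|\.\./", re.I)),
]

# CVE-YYYY-NNNN; the sequence part was four digits in 2006 and may be longer now.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample records in CVE description style (not real CVE entries).
SAMPLE_RECORDS = [
    ("CVE-2001-0001", "Stack-based buffer overflow in the FTP daemon allows remote attackers to execute arbitrary code via a long USER command."),
    ("CVE-2001-0002", "Heap-based buffer overflow in the image parser allows remote attackers to execute arbitrary code via a crafted file."),
    ("CVE-2001-0003", "Off-by-one error in the login handler allows local users to gain privileges."),
    ("CVE-2001-0004", "Cross-site scripting (XSS) vulnerability in the search page allows remote attackers to inject arbitrary web script."),
    ("CVE-2005-0001", "Cross-site scripting (XSS) vulnerability in index.php allows remote attackers to inject arbitrary web script via the q parameter."),
    ("CVE-2005-0002", "Multiple cross-site scripting vulnerabilities in the admin console allow remote attackers to inject arbitrary web script."),
    ("CVE-2005-0003", "XSS in the comment form allows remote attackers to inject arbitrary HTML."),
    ("CVE-2005-0004", "SQL injection vulnerability in login.php allows remote attackers to execute arbitrary SQL commands via the user parameter."),
    ("CVE-2005-0005", "Integer overflow in the PNG decoder leads to a heap-based buffer overflow when parsing a crafted chunk length."),
    ("CVE-2005-0006", "Buffer overflow in the RPC service allows remote attackers to execute arbitrary code via a long request."),
    ("CVE-2005-0007", "Directory traversal vulnerability in download.php allows remote attackers to read arbitrary files via ../ sequences."),
]


def classify(description):
    """Map a CVE description to a weakness class by keyword; 'other' if nothing matches."""
    for name, pattern in CLASS_PATTERNS:
        if pattern.search(description):
            return name
    return "other"


def tally(records):
    """Return {year: Counter(class -> count)} for (cve_id, description) pairs.

    The year is taken from the identifier, which is the year the ID was
    assigned, not necessarily the year the issue was disclosed or fixed; that
    is one of the comparability caveats in the Christey comments on this page.
    """
    by_year = defaultdict(Counter)
    for cve_id, description in records:
        match = CVE_ID.match(cve_id)
        if match is None:
            raise ValueError(f"malformed CVE identifier: {cve_id!r}")
        by_year[int(match.group(1))][classify(description)] += 1
    return dict(by_year)


def ranking(counts):
    """Classes ordered most common first, i.e. the articles' 'number one slot'."""
    return [name for name, _ in counts.most_common()]


def report(by_year):
    """Plain-text summary, one line per year, classes ranked left to right."""
    lines = []
    for year in sorted(by_year):
        ranked = ", ".join(f"{name}={by_year[year][name]}" for name in ranking(by_year[year]))
        lines.append(f"{year}: {ranked}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(tally(SAMPLE_RECORDS))))
```

On the constructed records the 2001 ranking is led by buffer overflows and the 2005 ranking by XSS, mirroring the shift the articles describe; swapping the order of the patterns, or adding a class, changes the counts, which is exactly why statistics from differently edited databases are hard to compare.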

February 2006

VoIPLoop.com, February 14, 2006

CVE was the main focus of a February 14, 2006 article on VoIPLoop.com entitled "A CVE is not a Resume-It's a Threat." The article explains what CVE is and the problems it addresses; states the number of names currently on the CVE List; mentions the current number of officially CVE-Compatible products and the number of products with declarations to be CVE-compatible; includes a link to the CVE Web site; and discusses CVE-2005-4050 and CVE-2005-3804, which address VoIP vulnerabilities. The author also recommends that readers use CVE-compatible products and that they check the CVE List regularly for new VoIP-specific vulnerabilities. The article was written by Gary Audin.

BigFix Web Site, February 1, 2006

CVE was mentioned in the "Product and Technology Advances" section of a February 1, 2006 news release by BigFix, Inc. entitled "BigFix Accelerates Business Momentum in Fourth Quarter and 2005 Overall." CVE was mentioned as follows: "[BigFix] announced support for important industry standards in 2005, including Cisco NAC, Common Vulnerability Exposures (CVE) compatibility certification, Common Vulnerability Scoring System (CVSS), Open Vulnerability [and] Assessment Language (OVAL), SANS Institute best practices, and US Common Criteria. Expanding standards support enhances customer value of the BigFix solutions by providing consolidated integration and expedited use of vulnerability intelligence information from multiple sources."

MITRE Digest, February 2006

CVE and OVAL were the main topics of a February 2006 MITRE Digest article on the MITRE Corporation Web site entitled "Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities." The article describes how "as the number of software vulnerabilities continues to increase, MITRE's OVAL and CVE initiatives are becoming standards in the information assurance industry." The article further describes how the growing list of CVE names "ensures enhanced interoperability and security for enterprises" and describes how "OVAL identifies vulnerabilities and configuration issues."

The article concludes with a section on how "MITRE is leveraging the CVE and OVAL Initiatives to help the [U.S.] Department of Defense (DoD) transform its enterprise incident and remediation management efforts" and how "as a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems." The article was written by David Van Cleave.

January 2006

SC Magazine, January 20, 2006

CVE was mentioned in an opinion article entitled "Innovation Still Exists" in the January 20, 2006 issue of SC Magazine. CVE and OVAL are mentioned as two of the projects the author was most impressed with at the 32nd Annual CSI Computer Security Conference: "Next stop was MITRE's CVE booth. I've been a fan of CVE for as long as it's been in existence. Their big news is OVAL (Open Vulnerability and Assessment Language). This is an extremely cool way to manage vulnerabilities and vulnerability assessments. Again, my team is working with this and merging it with ProDiscover IR using ProScript to do automated host-based vulnerability assessment as part of incident response." The article was written by Peter Stephenson of Norwich University.

CVE is mentioned in reference to comments by CVE List Editor Steve Christey that the "variations in editorial policy and lack of cross-referencing between databases as well as unmeasurable biases in the research community and disclosure policy mean that the databases—or refined vulnerability information (RVI) sources—do not produce statistics that can be meaningfully compared." The article also includes a quote by Christey, who further states: "In my opinion, RVI sources are still a year or two away from being able to produce reliable, repeatable, and comparable statistics. In general, consumers should treat current statistics as suggestive, not conclusive."

All four databases surveyed for the article—NVD, the Computer Emergency Response Team (CERT) Coordination Center's database, the Open-Source Vulnerability Database (OSVDB), and the Symantec Vulnerability Database—are listed in the CVE-Compatible Products and Services section. The article was written by Robert Lemos.